RHEL 10 must disable access to the network bpf system call from nonprivileged processes.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-281335 | SRG-OS-000132-GPOS-00067 | RHEL-10-800030 | SV-281335r1167155_rule | 2026-03-11 | 1 |
Description
Loading and accessing the packet filters programs and maps using the bpf() system call has the potential to reveal sensitive information about the kernel state.
ℹ️ Check
Verify RHEL 10 prevents privilege escalation through the kernel by disabling access to the bpf system call.
Check the status of the "kernel.unprivileged_bpf_disabled" kernel parameter with the following command:
$ sysctl kernel.unprivileged_bpf_disabled
kernel.unprivileged_bpf_disabled = 1
If "kernel.unprivileged_bpf_disabled" is not set to "1" or is missing, this is a finding.
✔️ Fix
Configure RHEL 10 to prevent privilege escalation through the kernel by disabling access to the bpf system call.
Create the drop-in file if it does not already exist:
$ sudo vi /etc/sysctl.d/99-kernel_unprivileged_bpf_disabled
Add the following line to the file:
kernel.unprivileged_bpf_disabled = 1
Reload settings from all system configuration files with the following command:
$ sudo sysctl --system